...
@@ -8,7 +8,7 @@ same named beans in previous files. --> <context-param> <param-name>contextConfigLocation</param-name> - <param-value>classpath*:/META-INF/net.shibboleth.idp/preconfig.xml,${idp.home}/system/conf/global-system.xml,classpath*:/META-INF/net.shibboleth.idp/config.xml,classpath*:/META-INF/net.shibboleth.idp/postconfig.xml</param-value> + <param-value>classpath*:/META-INF/net.shibboleth.idp/preconfig.xml,${idp.home}/system/conf/global-system.xml,classpath*:/META-INF/net.shibboleth.idp/postconfig.xml</param-value> </context-param> <context-param> @@ -27,6 +27,7 @@ </listener> <!-- Filters and filter mappings --> + <!-- Try and force I18N, probably won't help much. --> <filter> <filter-name>CharacterEncodingFilter</filter-name> @@ -40,6 +41,15 @@ <param-value>true</param-value> </init-param> </filter> + <!-- Automates SameSite handling until Java API catches up. --> + <filter> + <filter-name>SameSiteCookieFilter</filter-name> + <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> + <init-param> + <param-name>targetBeanName</param-name> + <param-value>shibboleth.SameSiteCookieFilter</param-value> + </init-param> + </filter> <!-- Lets us lump repeated Set-Cookie headers into one, something containers rarely support. --> <filter> <filter-name>CookieBufferingFilter</filter-name> @@ -64,6 +74,11 @@ <filter-name>SLF4JMDCServletFilter</filter-name> <filter-class>net.shibboleth.idp.log.SLF4JMDCServletFilter</filter-class> </filter> + + <filter-mapping> + <filter-name>SameSiteCookieFilter</filter-name> + <url-pattern>/*</url-pattern> + </filter-mapping> <filter-mapping> <filter-name>CookieBufferingFilter</filter-name> <url-pattern>/profile/admin/*</url-pattern> |
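Review bot: The added `SameSiteCookieFilter` mapping (last hunk on this line) is declared ahead of the `CookieBufferingFilter` mapping, and url-pattern mappings are chained in descriptor order, yet nothing in the file says that this position matters. Presumably the filter has to wrap the buffering filter so that it sees the merged Set-Cookie headers; once that is confirmed, a comment above the mapping such as `<!-- Keep first: must wrap CookieBufferingFilter to see the final Set-Cookie headers. -->` would stop a later reorder from silently disabling it. The filter definition in the `-40,6 +41,15` hunk only names the bean `shibboleth.SameSiteCookieFilter`, so which cookies receive which SameSite value is decided outside this descriptor. A deployment that carries a locally edited web.xml forward gets no SameSite handling until both added blocks are merged in.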
3.4.0→3.4.8
@@ -73,9 +73,11 @@
<url-pattern>/profile/SAML2/Redirect/SSO</url-pattern>
<url-pattern>/profile/SAML2/POST/SSO</url-pattern>
<url-pattern>/profile/SAML2/POST-SimpleSign/SSO</url-pattern>
+ <url-pattern>/profile/SAML2/Artifact/SSO</url-pattern>
<url-pattern>/profile/SAML2/Redirect/SLO</url-pattern>
<url-pattern>/profile/SAML2/POST/SLO</url-pattern>
<url-pattern>/profile/SAML2/POST-SimpleSign/SLO</url-pattern>
+ <url-pattern>/profile/SAML2/Artifact/SLO</url-pattern>
<url-pattern>/profile/cas/login</url-pattern>
</filter-mapping>
<filter-mapping>
@@ -86,6 +88,7 @@
<url-pattern>/profile/SAML2/Redirect/SSO</url-pattern>
<url-pattern>/profile/SAML2/POST/SSO</url-pattern>
<url-pattern>/profile/SAML2/POST-SimpleSign/SSO</url-pattern>
+ <url-pattern>/profile/SAML2/Artifact/SSO</url-pattern>
<url-pattern>/profile/cas/login</url-pattern>
<url-pattern>/Authn/*</url-pattern>
</filter-mapping>
@@ -176,7 +179,6 @@
<http-method>PUT</http-method>
<http-method>PATCH</http-method>
<http-method>DELETE</http-method>
- <http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
</web-resource-collection>
<auth-constraint/> |
3.3.0→3.4.0
@@ -45,6 +45,15 @@
<filter-name>CookieBufferingFilter</filter-name>
<filter-class>net.shibboleth.utilities.java.support.net.CookieBufferingFilter</filter-class>
</filter>
+ <!-- Allows control of response headers from within Spring beans. -->
+ <filter>
+ <filter-name>DynamicResponseHeaderFilter</filter-name>
+ <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
+ <init-param>
+ <param-name>targetBeanName</param-name>
+ <param-value>shibboleth.ResponseHeaderFilter</param-value>
+ </init-param>
+ </filter>
<!-- Automates TLS-based propagation of HttpServletRequest/Response into beans. -->
<filter>
<filter-name>RequestResponseContextFilter</filter-name>
@@ -57,6 +66,7 @@
</filter>
<filter-mapping>
<filter-name>CookieBufferingFilter</filter-name>
+ <url-pattern>/profile/admin/*</url-pattern>
<url-pattern>/profile/Logout</url-pattern>
<url-pattern>/profile/Shibboleth/SSO</url-pattern>
<url-pattern>/profile/SAML2/Unsolicited/SSO</url-pattern>
@@ -69,6 +79,17 @@
<url-pattern>/profile/cas/login</url-pattern>
</filter-mapping>
<filter-mapping>
+ <filter-name>DynamicResponseHeaderFilter</filter-name>
+ <url-pattern>/profile/admin/*</url-pattern>
+ <url-pattern>/profile/Shibboleth/SSO</url-pattern>
+ <url-pattern>/profile/SAML2/Unsolicited/SSO</url-pattern>
+ <url-pattern>/profile/SAML2/Redirect/SSO</url-pattern>
+ <url-pattern>/profile/SAML2/POST/SSO</url-pattern>
+ <url-pattern>/profile/SAML2/POST-SimpleSign/SSO</url-pattern>
+ <url-pattern>/profile/cas/login</url-pattern>
+ <url-pattern>/Authn/*</url-pattern>
+ </filter-mapping>
+ <filter-mapping>
<filter-name>CharacterEncodingFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
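Review bot: The added `DynamicResponseHeaderFilter` mapping covers only the eight patterns listed, so whatever headers the `shibboleth.ResponseHeaderFilter` bean sets are absent from every other path, including `/profile/Logout`, which the `CookieBufferingFilter` mapping just above does list. If that omission is intentional it deserves a comment at the mapping, for example `<!-- Headers apply only to the paths below; add each new browser-facing endpoint. -->`. The 3.4.0→3.4.8 diff on this page later adds `/profile/SAML2/Artifact/SSO` to what appears to be this same list, which suggests entries in a hand-maintained list are easy to miss.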
@@ -139,6 +160,14 @@
<location>/profile/RaiseError</location>
</error-page>
+ <session-config>
+ <cookie-config>
+ <http-only>true</http-only>
+ <secure>true</secure>
+ </cookie-config>
+ <tracking-mode>COOKIE</tracking-mode>
+ </session-config>
+
<!-- Block commonly flagged methods by using an empty auth-constraint. -->
<security-constraint>
<web-resource-collection> |
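Review bot: The added `<session-config>` block is the only new block here without an explanatory comment, although it changes session behaviour for every deployment. I would add `<!-- Session ID travels only in a cookie: no URL rewriting, not readable by script, never sent over cleartext HTTP. -->` above it. Because `<secure>true</secure>` is unconditional, a container reached over plain HTTP (for example a test instance) will not get its session cookie back from the browser, which is worth stating in the upgrade notes. The block sets no `<session-timeout>`, so the container default still applies. The `security-constraint` that follows continues outside this hunk.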
3.2.1→3.3.0
@@ -8,7 +8,7 @@
same named beans in previous files. -->
<context-param>
<param-name>contextConfigLocation</param-name>
- <param-value>${idp.home}/system/conf/global-system.xml,classpath*:/META-INF/net.shibboleth.idp/config.xml</param-value>
+ <param-value>classpath*:/META-INF/net.shibboleth.idp/preconfig.xml,${idp.home}/system/conf/global-system.xml,classpath*:/META-INF/net.shibboleth.idp/config.xml,classpath*:/META-INF/net.shibboleth.idp/postconfig.xml</param-value>
</context-param>
<context-param>
@@ -52,7 +52,7 @@
</filter>
<!-- Manages logging MDC. -->
<filter>
- <filter-name>SL4JMDCServletFilter</filter-name>
+ <filter-name>SLF4JMDCServletFilter</filter-name>
<filter-class>net.shibboleth.idp.log.SLF4JMDCServletFilter</filter-class>
</filter>
<filter-mapping>
@@ -77,14 +77,10 @@
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
- <filter-name>SL4JMDCServletFilter</filter-name>
+ <filter-name>SLF4JMDCServletFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
- <!-- HTTP headers to every response in order to prevent response caching -->
- <!-- <filter> <filter-name>IdPNoCacheFilter</filter-name> <filter-class>edu.internet2.middleware.shibboleth.idp.util.NoCacheFilter</filter-class>
- </filter> <filter-mapping> <filter-name>IdPNoCacheFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> -->
-
<!-- Servlets and servlet mappings -->
<servlet>
<servlet-name>idp</servlet-name>
@@ -136,6 +132,35 @@
<servlet-name>shibboleth_jsp</servlet-name>
<url-pattern>/shibboleth</url-pattern>
</servlet-mapping>
+
+ <!-- Send servlet errors through the IdP's MVC error handling. -->
+ <error-page>
+ <exception-type>net.shibboleth.idp.authn.ExternalAuthenticationException</exception-type>
+ <location>/profile/RaiseError</location>
+ </error-page>
+
+ <!-- Block commonly flagged methods by using an empty auth-constraint. -->
+ <security-constraint>
+ <web-resource-collection>
+ <web-resource-name>Non-API Content</web-resource-name>
+ <url-pattern>/*</url-pattern>
+ <http-method>PUT</http-method>
+ <http-method>PATCH</http-method>
+ <http-method>DELETE</http-method>
+ <http-method>OPTIONS</http-method>
+ <http-method>TRACE</http-method>
+ </web-resource-collection>
+ <auth-constraint/>
+ </security-constraint>
+
+ <!-- Allow any HTTP methods to the API flows. -->
+ <security-constraint>
+ <web-resource-collection>
+ <web-resource-name>Administrative APIs</web-resource-name>
+ <url-pattern>/profile/admin/*</url-pattern>
+ </web-resource-collection>
+ <!-- no auth-constraint tag here -->
+ </security-constraint>
<!--
Uncomment to use container managed authentication. The new servlet spec (3.1)
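Review bot: The added `Non-API Content` constraint is a deny-list: only PUT, PATCH, DELETE, OPTIONS and TRACE are covered, so any verb not named there is left uncovered and is passed to the application without restriction. Naming the permitted verbs instead closes that gap, e.g. replacing the five `<http-method>` lines with `<http-method-omission>GET</http-method-omission>` and `<http-method-omission>POST</http-method-omission>` (plus HEAD if it is needed). That form needs a Servlet 3.0 or later descriptor, which the file header outside this hunk would have to confirm. Separately, the `Administrative APIs` constraint has no `auth-constraint`, so the container enforces nothing on `/profile/admin/*`. Its comment should say where access control for those flows is applied, since the descriptor does not show it.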
@@ -150,7 +175,6 @@
<web-resource-name>user authentication</web-resource-name>
<url-pattern>/Authn/RemoteUser</url-pattern>
<url-pattern>/profile/SAML2/SOAP/ECP</url-pattern>
- <http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint> |